Hello, the master doesn't actually need a copy of the signed certs on its drives.
All the master needs is the CA that signed the nodes. If you set your masters up so that you access them via a CNAME such as 'puppet', all you need to really bother with is making sure your new master is on that name and has the same CA as before. You might need to set certname=puppet in puppet.conf in the [puppetmasterd] section to prevent your new master from creating certs when a new hostname is found.

You only generally need the client certs to be able to do revokes and such.

I have many regional masters; they all just share the same CA. The more correct way is to do the whole CA and Sub CA setup etc., but it just seemed too much of a hassle when I set mine up.

With the same CA everywhere any one of my nodes can talk to any one of my masters, like I designate one master as the place where reports go, any machine can send in reports even if another master signed them. Also makes it trivial to recover from failure or to scale.

----- "Brian Akins" <brian.ak...@turner.com> wrote:

> On 3/31/10 6:52 AM, "LOhit" <lohi...@gmail.com> wrote:
>
> > BTW, I am using puppet to manage about 700+ hosts,
>
> Before we started using rsync and running puppet locally on each host, we
> actually added the SSL certs to SVN. Cheesy, but we could quickly, and
> easily, move clients from master to master.
>
> --
> Brian Akins
>
> --
> You received this message because you are subscribed to the Google
> Groups "Puppet Users" group.
> To post to this group, send email to puppet-us...@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.

--
R.I.Pienaar
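The point made in the message above, that a master only needs the CA that signed the nodes, shown as an added example that is not part of the original post. It uses the plain openssl CLI with constructed throwaway CAs and host names (`shared-ca`, `other-ca`, `node1.example.com`, `node2.example.com` are assumptions) rather than Puppet's own certificate directories.

```shell
#!/bin/sh
# Added example: constructed CAs and host names, not Puppet's ssldir layout.
# Requires the openssl command-line tool.

# make_ca DIR NAME: create a self-signed CA key and certificate in DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# sign_node DIR CA NODE: issue a certificate for NODE signed by CA.
sign_node() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# master_accepts CA_CERT NODE_CERT: succeeds if NODE_CERT chains to CA_CERT.
master_accepts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: echoes the verdict for a node signed by the shared CA, then for a
# node signed by an unrelated CA, as seen by a freshly built master.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" shared-ca && make_ca "$d" other-ca || return 1
    sign_node "$d" shared-ca node1.example.com || return 1
    sign_node "$d" other-ca node2.example.com || return 1
    # The "new master" holds only the shared CA certificate. It has never
    # seen node1's signed certificate and has no copy of it on disk.
    mkdir "$d/newmaster" && cp "$d/shared-ca.pem" "$d/newmaster/ca.pem"
    r1=rejected
    master_accepts "$d/newmaster/ca.pem" "$d/node1.example.com.pem" && r1=accepted
    r2=rejected
    master_accepts "$d/newmaster/ca.pem" "$d/node2.example.com.pem" && r2=accepted
    rm -rf "$d"
    echo "$r1 $r2"
}
```

Calling `demo` prints one verdict per node. The same chain check is why every master sharing the CA trusts every node, and why the CA private key is the asset to protect on each of them.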